The More You Know: Data Protection Laws and Regulations

Non-profit organizations rely on the data they collect to make informed business decisions in a number of areas: 

Which patrons donated last year and when should you solicit them again? How much ticket revenue was generated by your newest installation? How are memberships performing this year as opposed to last?

Every organization collects different data for different reasons, which also means that patron data is stored and disposed of differently by each organization. Regardless of what is collected and why, one thing is common: all organizations need to protect the data they collect in order to build trust with their patrons.

This raises several questions: What data are organizations allowed to collect, and what is off limits? How long are we required to hold on to this sensitive data, and how long may we keep it? In what ways are organizations allowed to use what they collect? Finally, what legal responsibility do arts organizations have with respect to the protection of sensitive patron data?

The answers to these questions vary depending on where in the world an organization conducts its business. For the sake of our own platform, AMT Lab, the majority of our readers reside in the United States and in Western European countries, most of which are members of the European Union. In this article we will examine the rules, regulations, and legislation regarding the collection and use of digital data by arts organizations in these two geographic areas.


United States


At the federal level, the United States currently has no comprehensive privacy legislation outlining how organizations should collect and use patron data. Instead there are a number of sector-specific privacy laws, some of which readers may already be familiar with, such as the medical industry's HIPAA regulations. With regard to non-profit and arts organizations, the rules an arts manager should be most concerned with are those enforced by the Federal Trade Commission (FTC), which is responsible for protecting consumers, including arts patrons. One caveat: the FTC Act's jurisdiction is generally limited to entities operating for profit, so a non-profit arts organization may instead find itself answering to its state attorney general under state consumer protection and breach notification laws (discussed below). The FTC's standards remain the benchmark most organizations are measured against.

The most commonly cited enforcement tool is Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive business practices. In the privacy context, this protects consumers against companies that fail to comply with the online and offline privacy policies patrons agree to when doing business with an organization. An example would be selling patron email addresses to a marketing firm after the patron was told explicitly that their personal information would not be traded or sold. The FTC also enforces the Children's Online Privacy Protection Act (COPPA), which governs the online collection of personal information from children under 13.

With the advent of digital experiences in museums, galleries, and similar spaces that invite visitors to bring their own device, arts managers may begin to see the Electronic Communications Privacy Act (ECPA) become more relevant. This act regulates the interception of wire, oral, and electronic communications and access to stored electronic communications. When an organization creates interactive experiences that use the Bluetooth or Wi-Fi capabilities of a patron's phone, the patron trusts the organization not to collect or intercept private data from their device beyond what the experience requires and discloses. This is something all arts organizations must be cognizant of when offering these types of services.


State by State Regulations & Protections

Privacy laws vary greatly from state to state. It is the responsibility of an arts manager to understand exactly what state-level protections exist for both their organization and the patrons they interact with. The strictest state in terms of consumer protections is California, while, as of this writing, Alabama and South Dakota have no security breach notification laws and few consumer protections.

The primary state-level legislation for most organizations is the set of Security Breach Notification Laws. These laws require organizations to notify patrons whenever a security breach compromises their personal data. They define what counts as personal data, the timelines for notification, and the procedures for doing so, and all three vary by state.


The Federal Trade Commission has the authority to bring suit against any business it finds in violation of the laws and regulations it enforces. These suits typically result in monetary penalties paid by the business and in remediation services, such as credit monitoring, for patrons harmed as a direct result of the business's mishandling of their personal and private data. Many sources exist for the finer points of data collection and protection; the source referenced here provides a thorough overview and answers many questions arts managers may have.


European Union & Other Countries


The countries of Europe stand in stark contrast to the United States. The European Union has a comprehensive body of data protection law. Until the GDPR takes effect, its core is the 1995 Data Protection Directive, which each member state has transposed into its own national law, so the details differ somewhat from country to country. The ways in which personal data is collected, stored, sold, and deleted are all heavily regulated practices.

The most commonly known piece of legislation, and the one most relevant to arts organizations operating in the United Kingdom, is the Data Protection Act 1998, which is the UK's implementation of the EU directive. This act regulates how personal information is used by organizations and is built on a list of "Data Protection Principles" requiring that personal data be:

·       Used lawfully and fairly

·       Used for limited, specifically stated purposes

·       Used in a way that is adequate, relevant and not excessive

·       Accurate

·       Kept for no longer than necessary

·       Kept safe and secure

·       Not transferred outside the European Economic Area unless the destination ensures an adequate level of protection

Stronger legal protections exist for certain categories of sensitive personal data. These include racial or ethnic origin, political opinions, religious beliefs, health, sexual life, and criminal records.

European data protection law also recognizes a "right to be forgotten," more formally a right to erasure. It allows individuals to request that an organization delete the personal data it holds about them, and the organization must comply unless it has a lawful reason to keep the data, such as a legal retention obligation.

From 25 May 2018, the General Data Protection Regulation (GDPR) applies across the European Union. This comprehensive set of rights and obligations replaces the 1995 directive and the national laws built on it, including the Data Protection Act 1998, and was written for the age of cybercrime we currently live in. Unlike a directive, a regulation applies directly in every member state without separate national enactment, so organizations cannot expect a gradual rollout.

The primary change in these laws revolves around consent. Companies must now keep records showing when and how an individual gave consent for their personal data to be stored or used. Consent must be freely given, specific, informed, and unambiguous, which means a pre-ticked box or silence is no longer enough; the individual must take a clear affirmative action, such as ticking an unticked box. Individuals can withdraw consent at any time, and withdrawing must be as easy as giving it. In the event of a data breach, the organization must notify its supervisory authority within 72 hours of becoming aware of the breach, and must notify the affected individuals without undue delay when the breach is likely to pose a high risk to them. The notification must describe the likely consequences of the breach and the measures taken or recommended to limit the harm.

As with any business or legal issue that may arise for your arts organization, if you have any questions about what your responsibilities are as an organization, or what rights your patrons are afforded, contact your legal counsel or local department of commerce. New data laws and regulations are dense and can change rapidly. All members of your organization who handle patrons' private data should be well versed in the legal and ethical obligations that surround it.

Have your organization's business practices changed due to the rise in cybercrime? If so, tell us your best practices in the comments below!